Dialysis machine with safety monitoring and a corresponding method for monitoring safety

ABSTRACT

A dialysis machine (1) includes dialysis equipment (4), a control unit (2) controlling normal operation of the machine and a safety unit (3) for monitoring the machine with a view to the problem of patient safety. The control unit controls actuators (6) and receives information from its own sensors (13). The safety unit is connected to the control unit and receives from it parameters relevant to safety which have been measured by the sensors (13) of the control unit and its own sensors (15) to receive values of the parameters and other parameters. If any abnormality is found in the parameters measured, the safety unit sends commands (SSR) relating to safe states which have to be established to the control unit (2) which controls the actuators (6) in a corresponding way. The condition of the actuators is monitored by the safety unit (3) which uses suitable sensors (17) to determine whether the actuators have carried out the required actions, and if not, Switches off the machine with its own actuators (8).

BACKGROUND OF THE INVENTION

1. Field of the Invention

This invention relates to a dialysis machine with safety monitoring anda corresponding method for monitoring safety.

2. Description of the Related Art

As is known, dialysis machines incorporate a dialysis unit which isconnected to a patient by means of an extracorporeal circulation lineand which is controlled by means of specific actuators by a controlsystem which ensures that the most appropriate dialysis conditions forthe treatment required are maintained at all times on the basis of theoperator's settings and adjustments.

In order to ensure that the dialysis unit always operates correctly, amonitoring system is generally provided to check consistency between theset conditions and the actual conditions, to reveal any situations whichare potentially hazardous to the patient and to generate correspondingcommands for returning the machine to a non-hazardous situation. In aknown dialysis machine both the control and monitoring functions areperformed by a single processor. This arrangement is howeverdisadvantageous in that it does not ensure a sufficient level of safetyif there should be a fault in the processor, one of the sensors or oneof the actuators. In order to overcome this problem and increase thesafety of the machine, separate control and safety systems each providedwith their own sensors and their own actuators, are provided in anotherknown dialysis machine. This arrangement, according to which in practiceall detection and actuation members are duplicated, in fact provides asufficient level of safety, but at the cost of considerably greaterstructural complexity, which has a repercussion on the cost of themachine itself.

The object of this invention is therefore to provide a dialysis machinewhich overcomes the disadvantages of known machines, and in particularprovides optimum safety in respect of possible faults, with a low systemcost.

SUMMARY OF THE INVENTION

In accordance with this invention a dialysis machine is provided withsafety monitoring comprising a dialysis unit, a plurality of controlactuators for the said dialysis unit, a plurality of control sensors formeasuring the control values of parameters which are of relevance tosafety in the said dialysis unit, a control unit connected to the saidcontrol activators to send control signals and to the said controlsensors to obtain the said control values, a safety unit connected tothe said control unit and comprising means for generating commandscapable of generating commands relating to safe states, and a pluralityof safety sensors to measure the safety of values of the said parameterswhich are relevant to safety in the said dialysis unit, the said safetysensors being connected to the said safety unit, characterised in thatthe said safety unit comprises transmission means capable of sending thesaid commands relating to safe states to the said control unit, in thatthe said control unit includes means for sending activating signalscorresponding to the said commands relating to safe states to the saidcontrol actuators, and in that the said control actuators are associatedwith a plurality of actuator sensors for measuring the operatingparameters of the said control actuators, the said actuator sensorsbeing connected to the said safety unit.

The invention also relates to a method for monitoring safety in adialysis machine which incorporates the stages of:

sending the said commands relating to safe states from the said safetyunit to the said control unit, generating actuation signalscorresponding to the said commands relating to safe states by means ofthe said control unit, sending the said activating signals from the saidcontrol unit to control actuators, measuring operating parameters of thesaid control actuators and sending the said operating parameters to thesaid safety unit.

BRIEF DESCRIPTION OF THE DRAWINGS

For a better understanding of this invention a preferred embodiment willnow be described purely by way of a non-restrictive example, withreference to the appended drawings, in which:

FIG. 1 is a simplified block diagram of a machine according to thepresent invention;

FIG. 2 is a first flow diagram relating to a method of safety monitoringimplemented by the machine in FIG. 1; and

FIG. 3 is a second flow diagram relating to a method of safetymonitoring implemented by the machine in FIG. 1; and

FIG. 4 is a diagram illustrating the passage of commands between theparts of the machine in FIG. 1 when an anomalous condition arises.

DESCRIPTION OF THE PREFERRED EMBODIMENTS

In FIG. 1 the dialysis machine, indicated as a whole by the number 1, isshown in simplified form so as to reveal only the parts of significancefrom the point of view of the safety of the machine itself. Inparticular, the control unit or system 2, the safety unit or system 3, adialysis unit 4 and a plurality of actuators and sensors are shown inFIG. 1.

As illustrated, the actuators are divided into a first group, indicatedby 6, connected to control unit 2 via incoming line 7, and include allthe actuators necessary for carrying out dialysis treatment (e.g. pumps,valves, pressure regulators), added to a second group, indicated by 8and connected to safety section 3 by ingoing line 9, which include allthe actuators necessary for shutting down the machine and isolating thepatient when a general safety condition is activated by safety unit 3 aswill be described in greater detail below. The interactions betweengroups of actuators 6 and 8 and dialysis unit 4 are shown symbolicallyin FIG. 1 by dashed lines 10 and 11 respectively.

The sensors on the other hand are divided into three groups: a firstgroup, indicated by 13 (control sensors), is connected to control unit 2via outgoing line 14 to which the sensors provide CSS signalscorresponding to the values which they have measured of the parametersof significance to safety (CRC signals) and the measured values of othercharacteristic parameters (such as flow and speed) which determine theprogress of dialysis treatment. A second group, indicated by 15 (safetysensors), is connected to safety unit 3 via outgoing line 16 to whichthe sensors 15 provide PSS signals corresponding to the values whichthey have determined for the said parameters measured by sensors 13 andother parameters which are relevant to safety (SRP signals) and a numberof items of information which are necessary to check that the safetyunit itself is functioning correctly; and a third group, indicated by 17(actuator sensors) is connected to safety unit 3 via outgoing line 18 toprovide the latter with the values which these have determined of theoperating parameters of actuators 6 set by control unit 2. In generaltherefore some of control sensors 13 (and more specifically those whichmeasure parameters relevant to safety in dialysis unit 4) are duplicatedby safety sensors 1S, for reasons which will become apparent below. Theinteraction between control sensors and safety sensors 13, 15 withdialysis unit 4 and between actuator sensors 17 and actuators 6 is shownsymbolically in FIG. 1 by dashed lines 19, 20 and 21 respectively.

Control unit 2, which sets and adjusts the parameters and quantitiesrequired for correct performance of the dialysis treatment consists ofthree parts: a master 22 supervising control unit 2 and communicatingwith safety unit 3, a blood module 23 and a hydraulic module 24 which,under control of the master, generate the specific commands to the partsof dialysis unit 4 which are involved with the flow of blood and theflow of dialysis fluid respectively and which will not be described indetail as they are not pertinent to this invention.

Safety unit 3, which monitors conditions in relation to the problem ofmachine safety in relation to the patient, in turn comprises a CPUprocessing unit 25, a memory 26 and a clock CLK 27. Safety unit 3 isconnected with two inputs 28 and 29, of which unit 28 is capable ofreceiving the initial set values SVP and SVC, e.g. following manualinputting by an operator, and of passing these via lines 30 and 31 tosafety unit 3 and control unit 2 respectively, while unit 29 receivesthe requests for manual intervention by the operator in an alarmsituation and generates a corresponding signal (override signal ORR)passed to safety unit 3 along line 32. Also safety unit 3 is connectedby outgoing line 34 to an alarm actuator 35 (e.g. an illuminated and/oracoustic alarm) to indicate to the operator that an alarm conditionexists, and via an outgoing line 44 to a screen 45 for the display ofmessages to the operator.

Dialysis unit 4 in which a patient's blood is dialysed incorporates allthe physical components (apart from the actuators, which are shownseparately) necessary for performing the dialysis itself, and can beconnected to a patient who is to undergo dialysis via extracorporealcirculation lines 37, 38 which enter and leave dialysis unitrespectively.

Control unit 2 and safety unit 3 exchange information and instructions,as explained in detail below, via a pair of lines 39, 40, andspecifically line 39, which leaves control unit 2, is used by the latterto pass the values of the parameters relevant to safety (SRC signals)measured by its own sensors 13 to safety unit 3, while line 40, whichleaves safety unit 3, is used by the latter to send the necessaryinstructions for implementing a safety state (SSR signals) to monitoringunit 2, as will be seen below.

Safety unit 3 of dialysis machine 1 according to the invention isdesigned to cope with all the anomalous situations which might endangerthe patient, placing the machine in a safe condition as defined by thestandard established by the approval authorities. With this object thesafety system is brought into action as a result of which the safetyunit receives as inputs all the parameters necessary for carrying outperiodical monitoring (safety-relevant parameters) and checks that theseparameters are consistent and that no unforeseen situation is obtained.If an anomaly should occur, after any transitory disturbance conditionshave been ruled out, the safety unit determines what state the machineshould be in so as not to constitute a hazard to the patient, and sendscontrol unit 2 commands in respect of the actions which must be carriedout by the actuators to overcome the situation (commands relating to asafe state). Control unit 2 processes these commands through master 22and blood and hydraulic modules 23, 24 and generates correspondingcontrol instructions for its own actuators. The actions corresponding tothese control instructions, as carried out by control actuators 6, aremonitored by actuator sensors 17 which send the corresponding signals tosafety unit 3. Safety unit 3 then checks that these actions have beenperformed correctly, after a predetermined period which allows time forall the components involved to carry out the necessary operations. Ifthe outcome of the check is favorable the machine remains in the safecondition until the cause which gave rise to the alarm is corrected(i.e. until the periodical test yields a negative result). If theoutcome of the check is negative it is assumed that the machine issuffering a significant functional problem due to a fault in controlunit 2 or actuators 6 or sensors 17. In this situation dialysis machine1 is no longer in a position to operate reliably and there is a risk tothe patient. As a consequence safety unit 3 generates a general safecondition activating its own safety actuators 8 so as to preventdialysis fluid from flowing through the haemodialysis filter, shuttingdown the ultrafiltration pump, shutting down the blood module pump andpreventing blood from re-entering the vein. In this way the machine isshut down and the patient is isolated.

The performance of the periodical test will now be described in greaterdetail with reference to FIG. 2. As is known, after the periodical testhas been initiated safety unit 3 receives the values for the safetyrelevant parameters SR (SRC from the control unit and SRP from thesafety unit) measured by sensors 13 and 15 and the SV values input bythe operator (block 50) and then (block 51) checks that these values areconsistent and meet predetermined conditions stored in its memory 26. Inparticular the safety unit carries out a specific check for eachcondition which has to be checked. In general the checking of acondition consists of checking a directly measurable parameter (such ase.g. the temperature of the dialysate or venous pressure), but may alsoinclude an evaluation of different parameters and their mutualrelationships (such as in the case of biofiltration flow, which requiresamong other things a check to ensure that the ratio between the signalprovided by the infusion pump position sensor and the signal relating tothe position of the encoder teeth for that pump is correct). If thecheck is satisfactory (YES output from block 51) safety unit 3 cancelsthe alarm message previously sent to the operator by screen 45 (block54). The periodical test is then concluded.

Vice versa, if an anomalous condition is found in one or more of thechecks (an excessive difference between the SRC and SRP values recordedby sensors 13 and 15, or between the measured and set values for SV, orincorrect correlations between any of the measured parameters), safetyunit 3 sends alarm signal AS to corresponding actuator 35 (block 56) andchecks whether an override request is present (block 63). This overrideprocedure allows the operator to intervene manually, effecting a maximumreduction in the specific configurations required from the machine whenan anomaly exists, and may only be maintained for a predetermined periodof time T. If the operator has not activated the override request (bythe ORR signal in FIG. 1, NO output from block 63) a safe conditionrequest SSR, (block 64), is generated, otherwise (YES output) a check ismade to see if this override request is present for a time t which isgreater than predetermined time T (block 65). For this purpose, and inasynchronous manner which is not illustrated, on receiving the ORRsignal the safety unit activates a specific counter whose content isindicative of time t. If the override request has already been presentfor a time greater than T (YES output from block 65) then the systempasses to block 59 in which the override request is deactivated in amanner which will be described in greater detail with reference to FIG.4.

If instead the override request has been present for a time t less thanpredetermined time T (NO output from block 65) the system passes toblock 66 in which the safety unit generates a stand-by safe condition,i.e. one in which the specific safety configurations requested by safetyunit 3 are reduced to the maximum extent (in any event in accordancewith the standards). This enables the operator to act on dialysis unit 4to remove the cause which brought about the alarm.

After generating the request for a safe condition, whether stand-by ornot, the safety unit sends it to control unit 2 along line 40 (block 70)and then checks that a time Ti since the sending of that request (block71), which is characteristic for each specific state in the SSR request,has expired. As already indicated, this check is provided to ensure thatmachine 1 has sufficient time to react to the request.

To clarify this point, reference is first made to FIG. 3, which showsthe format of SSR request and the specified associated execution times.As will be noted, each SSR request comprises a vector 77 subdivided intoseveral fields 78, each of which stores in memory the condition,indicated by S₁, S₂, . . . , S_(n), which must be adopted by acorresponding control quantity or parameter for actuators 6. Individualfields 78 of vector 77 may be empty, in which case the correspondingquantities do not need to be altered. In any event a value T₁, T₂, . . ., T_(i) which specifies the time allowed for executing the commandsassociated with each state S_(i) is associated with each state, as showndiagrammatically in FIG. 3 by vector 79.

The format of the overall SSR safe condition request shown in FIG. 3 isalso common to individual specific safe condition requests SSSR, each ofwhich is associated with a specific anomaly (anomalous condition in thesense indicated above). The SSR request thus results from the sum of allthe requests for specific safe conditions, resolving anyincompatibilities which may arise, as will be explained below withreference to the flow diagram in FIG. 4.

As a consequence, if the safe condition requests for all conditionsS_(i) are sent in a time t_(i) <T_(i), the safety unit ends the test inprogress. In subsequent tests safety unit 3 checks if any new alarms arepresent relating to conditions different from those which caused thefirst SSR request to be sent, and checks if an override request has beenactivated. The existence of only one of these two situations wouldnaturally result in a change in the request for the safe condition andpossibly in the initialising of the counters (not shown) which areassociated with each new conditions S_(i) and which count the time fromthe sending of the SSR including any new condition S_(i), failing whichthe same request is maintained.

As soon as the time T_(i) specified for a specific condition among theS_(i) conditions requested has passed (YES output from block 71), safetyunit 3 obtains the values of the operating parameters set by controlunit 2 specified by that specific condition S_(i) (block 72) fromsensors 17 and checks that these are correct (block 73). If theparameters are correct (YES output from block 73), demonstrating thatthe machine 1 is operating correctly, the test cycle carried out at thattime is terminated.

If instead after period of time T_(i) provided by the specific conditionfor carrying out the orders resulting from the safe condition imposedthe functional parameters relating to their specific condition have notreached their correct values (NO output from block 72), then safety unit3 generates a general safe condition (block 74), sending the appropriatecommands to its own safety actuators 8 so as to ensure that the commandsare carried out independently of the condition of the rest of themachine.

The generation of the request for a safe condition will now be describedin greater detail with reference to FIG. 4. In that figure, when analarm is present safety unit 3 checks whether a single anomalouscondition is present (block 80). If this is the case (YES output fromblock 80), safety unit 3 reads vector 77 relating to a specific safecondition request SSSR (block 81) from its own memory 26 and then placesvector SSR equal to vector SSSR which has been just read (block 82). Ifnot (NO output from block 80) safety unit 3 reads the SSSR vectorscorresponding to all anomalous conditions found (block 84), checkswhether these vectors specify incompatible requests (block 85) and ifthis is not the case (NO output) generates vector SSR as the sum of theindividual SSSR vectors which have just been read (block 86). If this isnot the case (YES output from block 85) safety unit 3 reads a priorityscale stored in memory 26 (block 87) and deactivates the commandsassociated with the condition or conditions S_(i) of lower priority(block 88). Subsequently safety unit 3 determines the SSR vector in theway already described with reference to block 86. Obviously, and in amanner which is not illustrated in the figure, when an override requestis present the SSR vector determined in this way is marked, in the sensethat the fields relating to the parameters for which the operatorspecifies manual intervention are reduced to essentials by individualchecks (in accordance with the standards).

The dialysis machine and the method of safety monitoring according tothis invention have the following advantages. In the first placeduplication of the components involved in safety monitoring is reducedto a minimum, and specifically it is restricted to the sensors whichmeasure the safety relevant parameters (some of the sensors in group 13and some of the sensors in group 15), as well as actuators 8 which areessential for shutting down the machine if a general safe conditionrequest is present. As a consequence the construction and operatingcosts of the components are reduced to a minimum, without having anadverse effect on the service provided by the machine as regards itssafety.

Both the machine and the corresponding method are extremely reliable andcapable of coping with virtually all anomalous situations which arise,by attempting to overcome the specific anomaly or anomalies occurring,or in any event being in a position to shut down the machine in extremecircumstances.

Finally it is clear that modifications and variants which do not gobeyond the scope of the invention itself may be made to the machine andmethod here described and illustrated. In particular it is emphasisedthat certain operations and functions can be carried out by ahierarchically superior processing system, instead of safety unit 3,which controls the safety unit in such a way as to take into account yetother parameters or quantities which are not directly correlated withthe safety of the machine, or in any event to control certain functionsin a centralised manner. In particular the controls on the duration ofthe override request and on the delay with which the parameters ofactuators 6 is checked may be conveniently controlled at a higher level.

Also, instead of applying overall control to all anomalous conditionsand then generating individual requests for safe conditions, it may beadvantageous to provide a sequential chain, one for each condition whichhas to be checked, each of which comprises determination of thequantities required for a specific monitoring function, checkingconsistency, generating alarms and generating specific safe conditionrequests.

What is claimed is:
 1. A system for providing monitored treatment to apatient, comprising:a dialysis unit for providing treatment to apatient; a first group of actuators adapted for operating the dialysisunit; a second group of actuators operative for shutting off operationof the dialysis unit when the system is set to a general safe condition;a control unit operative for controlling the first group of actuators inaccordance with set values of control parameters, set values of safetyparameters, and actual values of the safety parameters determined usinga first group of sensors; a safety unit operatively connected to thedialysis unit and operative for monitoring at regular intervals actualvalues of the safety parameters and for selectively setting the systemin the general safe condition; the first group of sensors beingcommunicatively connected to the control unit and operative forproviding the control unit with information indicative of both theactual values of the safety parameters and treatment progressparameters, wherein at least a subgroup of the first group of sensorsprovides, through the control unit, the actual values of the safetyparameters to the safety unit; a second group of sensors communicativelyconnected to the safety unit and operative for providing the safety unitwith information indicative of the actual values of both the safetyparameters and parameters indicative of an operative condition of thesafety unit; and a third group of sensors communicatively connected tothe safety unit operative for providing the safety unit with informationindicative of an actual operative condition of the first group ofactuators when the system is in the general safe condition, the thirdgroup of sensors being operative for communication with the safety unitin response to the safety unit detecting a patient endangering anomaloussituation resulting from inconsistent information detected by one ormore sensors of the first group or the second group.
 2. The systemaccording to claim 1, wherein the safety unit includes means for settingthe system in the general safe condition in accordance with the actualvalues of the parameters indicative of an operative condition of thesafety unit.
 3. The system according to claim 1, wherein the safety unitincludes means for setting the system in the general safe condition inaccordance with the information indicative of an actual operativecondition of the first group of actuators.
 4. The system according toclaim 1, wherein the safety unit includes means for receiving the setvalues of the control parameters.
 5. The system according to claim 1,wherein the safety unit includes means for controlling the second groupof actuators to shut off operation of the dialysis unit when the systemis set in the general safe condition.
 6. The system according to claim1, further comprising an alarm actuator, connected to the safety unit,for producing an alarm upon occurrence of a preset alarm condition. 7.The system according to claim 1, further comprising an override unitconnected to the safety unit for preventing the safety unit from settingthe system in the general safe condition for a predetermined period oftime upon command of an operator.
 8. A method for monitoring aprogressive extracorporeal blood treatment using a dialysis unit, amethod comprising the steps of:providing preset values of operatingparameters and safety parameters; treating a patient based on the presetvalues of the operating parameters and the safety parameters;determining actual values of the operating parameters and the safetyparameters using a first group of sensors; determining actual values ofthe operating parameters and the safety parameters using a second groupof sensors; checking whether the actual values of the safety parametersdetermined using the first group of sensors are consistent with thepreset values of the safety parameters and the actual values of thesafety parameters determined using the second group of sensors; settingthe dialysis unit to a predetermined safety state when there exists aninconsistency between a preset safety parameter value, an actual safetyparameter value determined using at least one of the first group ofsensors, and an actual safety parameter value determined using at leastone of the second group of sensors; determining the treatment's progressbased on actual values of operating parameters determined using a thirdgroup of sensors; and shutting off the dialysis unit at times when thetreatment's progress does not reach a predetermined level.
 9. The methodaccording to claim 8, further comprising, the step of triggering atleast a first alarm upon determining that the determined values of thesafety parameters using the first group of sensors are not consistentwith the preset values of the safety parameters.
 10. The methodaccording to claim 9, further comprising, the step of triggering asecond alarm upon determining that the determined values of the safetyparameters using the first group of sensors are not consistent with thedetermined values of the safety parameters using the second group ofsensors.
 11. The method according to claim 10, wherein the first alarmis associated with a first safety state and the second alarm isassociated with a second safety state.
 12. The method according to claim11, further comprising, determining a priority between the first safetystate and the second safety state upon triggering of at least twoalarms, and setting the dialysis unit to the one having a higherpriority of the first safety state and second safety state.
 13. Themethod according to claim 9, further comprising the step of overridingat least the first alarm.
 14. The method according to claim 8, wherein apredetermined period of time is caused to lapse before the step ofdetermining the treatment's progress based on the determined values ofthe operating parameters using the third group of sensors and after thestep of setting the dialysis unit to the safety state.
 15. A system forproviding monitored treatment to a patient, the system comprising:adialysis unit; means for storing preset values of operating parametersand safety parameters; means for controlling the dialysis unit to treata patient based on the preset values of the operating parameters and thesafety parameters; a first group of sensors operative for determiningactual values of the operating parameters, indicative of treatmentprogress, and the safety parameters; a second group of sensors operativefor determining actual values of the operating parameters and the safetyparameters; means for checking consistency between the actual values ofthe safety parameters determined using the first group of sensors, thepreset values of the safety parameters, and the actual values of thesafety parameters determined using the second group of sensors; meansfor setting the dialysis unit to a predetermined safety state when thechecking means detects an inconsistency between a preset safetyparameter value, an actual safety parameter value determined using atleast one of the first group of sensors, and an actual safety parametervalue determined using at least one of the second group of sensors;means for determining, when the dialysis unit is in the safety state,the treatment's progress based on actual values of operating parametersdetermined using a third group of sensors; and means for shutting offthe dialysis unit at times when the treatment's progress does not reacha predetermined level.